Help with PAT VPN Traffic

Answered Question
Apr 13th, 2010

Hello,


I was wondering if you can help me with the following scenario, please?
I am tasked to set up a Site-to-Site VPN (both ends using Cisco ASA5520).
Site A has a flat 10 address, 10.0.0.0, and site B has an address of 10.20.90.0.
As this is overlapping address space I need to translate the interesting traffic address to a different subnet.
So interesting traffic coming from 10.0.0.0 will be translated to 192.168.67.0 and traffic coming from 10.20.90.0 will be translated to 192.168.66.0.
Once this is set up I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?


Also, when I am configuring Site-to-Site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Thanks

Correct Answer by droeun141 about 6 years 9 months ago

Jennifer Halim Tue, 04/13/2010 - 03:51

Is your 10.0.0.0 subnet class A or class C? What is the subnet mask for the 10.0.0.0 network? If it is class C, it does not overlap with 10.20.90.0/24.

Jennifer Halim Tue, 04/13/2010 - 03:58

Based on your config, I assume you only want traffic to be encrypted from the 10.0.0.0/24 subnet, right?

You also need the following static statement:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Here is the sample config for your reference:

PIX: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

IOS: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

(The concept is the same, there is no sample config on ASA later version).

Jennifer Halim Tue, 04/13/2010 - 04:15

That config guide that you use only translates 1 site, not the other. And it is not an overlapping LAN scenario.

tahirs001 Tue, 04/13/2010 - 04:30

Overall, what do I need to add to my config so I can get both sites to translate?

Jennifer Halim Tue, 04/13/2010 - 04:34

As advised earlier, here is what you need to add:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

tahirs001 Tue, 04/13/2010 - 04:39

Ok, thanks. One more thing: shall I remove the following statement or keep it in?

static (inside,outside) 192.168.66.0  access-list policy-nat

droeun141 Tue, 04/13/2010 - 05:37

If you need translation on both sides - this is what you need:

SITE A:

access-list VPN_Traffic extended permit ip 192.168.67.0 255.255.255.0 192.168.66.0 255.255.255.0
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.12.90.0 255.255.255.0
static (inside,outside) 192.168.67.0 access-list policy-nat


SITE B:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.12.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat

tahirs001 Tue, 04/13/2010 - 05:45

Hi,

Do I have to add the following statement?

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Jennifer Halim Tue, 04/13/2010 - 05:48

There are 2 ways you can configure it:

1) Source and destination NAT as per the initial configuration advice --> NAT only needs to be configured on 1 site

OR

2) Source NAT as per droeun141's advice --> source NAT needs to be configured on both sites.
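An added worked example (my own code, not part of this thread or any Cisco tool) covering droeun141's two-site config above and Jennifer's "option 2" (source NAT on both sites): it checks whether the two LANs actually overlap at the mask in use (Jennifer's first question), derives the translated address a given host gets under a static net-to-net translation (relevant to the host-to-host mappings and to which address to connect to), and generates the three ASA 8.2-style lines each site needs. Assumptions: Site A is 10.0.0.0/24 (the thread never confirms the mask), Site B is 10.20.90.0/24, and in the policy-NAT ACL I use the peer's translated network as the destination, because with source NAT on both sides that is the address the local hosts put in their packets and nothing on the path untranslates it. The crypto ACL matches post-NAT addresses, as in the configs posted in the thread.

```python
import ipaddress

# Addressing taken from the thread. The /24 on Site A is an assumption
# (the thread only says "flat 10 address"); the rest is as posted.
SITE_A = {"name": "A", "real": "10.0.0.0/24", "mapped": "192.168.67.0/24"}
SITE_B = {"name": "B", "real": "10.20.90.0/24", "mapped": "192.168.66.0/24"}


def overlaps(net_a: str, net_b: str) -> bool:
    """True when the two prefixes share any address, i.e. NAT is unavoidable.
    A 10.0.0.0/8 at Site A overlaps 10.20.90.0/24; a 10.0.0.0/24 does not."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


def translate_host(real_net: str, mapped_net: str, host: str) -> str:
    """Address a host is seen at after a static net-to-net translation:
    the host bits are kept and only the network bits are swapped.
    Assumption: real and mapped prefixes are the same length."""
    real = ipaddress.ip_network(real_net, strict=False)
    mapped = ipaddress.ip_network(mapped_net, strict=False)
    h = ipaddress.ip_address(host)
    if h not in real:
        raise ValueError(f"{host} is not inside {real_net}")
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    offset = int(h) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def _acl_line(name: str, src: str, dst: str) -> str:
    """Render one 'access-list ... extended permit ip' line in ASA syntax."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    return (f"access-list {name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")


def source_nat_both_sites(local: dict, peer: dict) -> list:
    """Option 2 from the thread: each ASA source-NATs only its own LAN.

    Local hosts address the peer's *mapped* network, so that is the
    destination in the policy-NAT ACL (my design choice, see lead-in), and the
    crypto ACL is written with the post-NAT addresses on both sides."""
    local_mapped = ipaddress.ip_network(local["mapped"], strict=False)
    return [
        _acl_line("VPN_Traffic", local["mapped"], peer["mapped"]),
        _acl_line("policy-nat", local["real"], peer["mapped"]),
        f"static (inside,outside) {local_mapped.network_address} "
        f"access-list policy-nat",
    ]


if __name__ == "__main__":
    print("overlap at /24:", overlaps(SITE_A["real"], SITE_B["real"]))
    print("overlap at /8: ", overlaps("10.0.0.0/8", SITE_B["real"]))
    print("10.20.90.15 is reached from Site A as",
          translate_host(SITE_B["real"], SITE_B["mapped"], "10.20.90.15"))
    for local, peer in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"\nSITE {local['name']}:")
        for line in source_nat_both_sites(local, peer):
            print(line)
```

Running it prints the per-site lines for Site A and Site B; the crypto ACLs are mirror images of each other, which is the symmetry the peer ASA will insist on when it compares proxy identities.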

droeun141 Tue, 04/13/2010 - 06:03

Cool, I didn't know there was more than one way to do it.

For source & destination NAT, what should the crypto ACL look like for SITE B? Do you use the outside local or global address for the destination?

tahirs001 Tue, 04/13/2010 - 06:35

It needs to be done on both sites.

So shall I go with droeun141's config?

So this will be the config:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Message was edited by: Tahir Saleem

tahirs001 Tue, 04/13/2010 - 07:34

I have just tried to configure the site-to-site (Site B) with the below config. I got as far as the following command and then it kicked me out of the remote site:

crypto map outside_map interface outside

Any ideas why this would happen?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

droeun141 Tue, 04/13/2010 - 08:10

Connect to the public address or the new NAT'd address 192.168.66.X.

droeun141 Tue, 04/13/2010 - 08:29

How were you able to connect to 10.20.90.X from SITE A if the tunnel wasn't configured?

droeun141 Tue, 04/13/2010 - 08:47

Probably because when you applied the crypto map it triggered the policy NAT & rendered 10.20.90.X/24 useless.

tahirs001 Wed, 04/14/2010 - 03:17

I have configured one part of the site-to-site (remote site) with the below config. How do I bring up the tunnel?

When I do a show crypto ipsec sa and show crypto isakmp sa I get the following message:

There are no ipsec sas and isakmp sas configured.

Also, when I try to VPN in through the inside interface it does not connect.

Thanks

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

droeun141 Wed, 04/14/2010 - 04:01

The remote site above is B, correct? Then we need to see the opposite end.

tahirs001 Wed, 04/14/2010 - 04:07

Correct. The Site A config is huge; if I have to post it I will have to edit all the IPs, which will take ages.

tahirs001 Wed, 04/14/2010 - 04:11

Not yet. I need to get everything working on Site B first before I move on to Site A.

I tried to VPN in through the Cisco VPN client on the outside interface and it is still denying me access.

The only way I can now access the remote site is if I SSH to the outside interface.

droeun141 Wed, 04/14/2010 - 04:27

You also need to configure the tunnel on site A before it comes active.

tahirs001 Wed, 04/14/2010 - 04:31

Ok, how can I resolve the VPN connection?

Can I PM you my Site B config?
